On March 8th, 2023, the UK Government introduced a new Data Protection and Digital Information Bill (2) into parliament. The government announcement of this bill claimed that “British Businesses to Save Billions Under New UK Version of GDPR”. What does this mean in practical terms for businesses and consumers?
This announcement needs to be put into context. Firstly, the political context is that the government has been under pressure to show some tangible benefits from Brexit. In September 2022, the UK Government announced “The Retained EU Law (Revocation and Reform) Bill 2022”. This requires the government to “…sunset the majority of retained EU law so that it expires on 31st December 2023…” and assimilate it into UK statutes where appropriate, to ensure the supremacy of UK rather than EU law. Secondly, in the context of the legislative process, nothing will change until the bill has passed through three readings in the House of Commons and then three readings in the House of Lords, followed by Royal Assent. During this process there may be many changes and amendments.
In 2018, when the UK was still a member of the EU, the obligations under the EU GDPR (General Data Protection Regulation) were incorporated into UK law through the UK Data Protection Act 2018. The new proposed legislation is tabled as a set of amendments to that act (and to the retained UK GDPR). This makes the details of the proposal difficult to understand without a detailed knowledge of the chapter and verse of that act. To clarify this, the government has published a set of explanatory notes that explain the intent of the changes. These show that the bill covers a range of areas; some of the highlights are set out below.
One purpose of the bill is to provide clarification in several areas:
The government considers that the current legislation focuses too heavily on prescribed controls rather than risk-based outcomes:
It also makes changes to the Privacy and Electronic Communications Regulations 2003, relating to confidentiality of terminal equipment (e.g., cookie rules), unsolicited direct marketing communications (e.g., nuisance calls), and communications security (e.g., network traffic and location data).
There is currently no legislation regulating private organizations that provide digital verification services in the UK. The bill aims to increase trust in, and acceptance of, digital identities across the UK. It will establish a regulatory framework for the provision of digital verification services in the UK and enable public authorities to disclose personal information to trusted digital verification service providers for the purpose of identity and eligibility verification.
Smart Data is defined as the secure sharing of customer data, upon the customer’s request, with authorized third-party providers (ATPs). ATPs, organizations that are neither the customer nor the original service provider, can then use this data to provide innovative services for the consumer or business. The bill is intended to enable:
This bill would remove the requirement for paper registers to be held and stored securely in each registration district and enable all births and deaths to be registered electronically. This will remove the current duplication whereby births and deaths are registered both electronically and in paper registers. Currently the person registering a birth or death must physically sign the register in the presence of the registrar. The bill also makes it possible, at some time in the future, for the person registering to sign something other than the paper register.
‘Trust services’ include services specifically relating to electronic signatures, electronic seals, timestamps, electronic delivery services, and website authentication. The eIDAS Regulation requires that such trust services meet certain criteria (standards and technical specifications) to allow for interoperability across the UK economy.
On the face of it, this bill looks to provide useful clarification around the processing of personal data. It supports a risk-based approach to personal data processing rather than a prescriptive one. It enables greater use of IT within the public sector and control over the use of data by law enforcement. It provides control over digital identity verification providers and smart data sharing. However, I do not see how this legislation will save UK businesses millions of pounds. It is a shame that there is no mention of the opportunities from tamper-proof registers of personal data held by public bodies for security and durability. It may help SMBs that operate solely within the UK, but I doubt that it will help multinationals. These organizations have to deal with the plethora of privacy legislation around the world, and this bill risks adding another to this burden. Much will depend upon whether the EU will recognize that compliance with the UK rules set out in this bill will satisfy GDPR in the context of Schrems II, to allow personal data transfers and processing in the UK.
The mastermind behind Schrems II, privacy advocate Max Schrems, will be speaking at the European Identity and Cloud Conference 2023 on Tuesday, May 9. You can get a ticket at the Early Bird price until March 31.